infra/ansible-role-ssh
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add freebsd support, fix template

Browse source
This commit is contained in:
nd 2019-06-25 22:24:46 +01:00
parent 0df06810fc
commit 6e5f0d0726
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
3 changed files with 5 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

9
templates/ssh_sshd_config.j2
View file

@ -32,13 +32,8 @@ AuthenticationMethods publickey
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Root login should not be allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
PermitRootLogin yes # but we need it to login from dom0
PermitRootLogin yes
UseDNS no
# Use kernel sandbox mechanisms where possible in unprivilegied processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.